Report of Investigation Pursuant to Section 21(a) of the Securities Exchange Act of 1934 Regarding Certain Cyber-Related Frauds Perpetrated Against Public Companies and Related Internal Accounting Controls Requirements
Citation

Securities and Exchange Commission, Report of Investigation Pursuant to Section 21(a) of the Securities Exchange Act of 1934 Regarding Certain Cyber-Related Frauds Perpetrated Against Public Companies and Related Internal Accounting Controls Requirements (Oct. 18, 2018) (full-text).

Overview

The U.S. Securities and Exchange Commission's ("Commission") Division of Enforcement ("Division"), in consultation with the Division of Corporation Finance and the Office of the Chief Accountant, investigated whether certain public issuers that were victims of cyber-related frauds may have violated the federal securities laws by failing to have a sufficient system of internal accounting controls. The issuers — a group that spans numerous industries — each lost millions of dollars as a result of cyber-related frauds. In those frauds, company personnel received spoofed or otherwise compromised electronic communications purporting to be from a company executive or vendor, causing the personnel to wire large sums or pay invoices to accounts controlled by the perpetrators of the scheme. Spoofed or manipulated electronic communications are an increasingly familiar and pervasive problem, exposing individuals and companies, including public companies, particularly those that engage in transactions with foreign customers or suppliers, to significant risks and financial losses.

The Federal Bureau of Investigation recently estimated that these so-called "business email compromises" had caused over $5 billion in losses since 2013, with an additional $675 million in adjusted losses in 2017 — the highest estimated out-of-pocket losses from any class of cyber-facilitated crime during this period.[1]

In connection with the investigation, the Commission considered whether the issuers complied with the requirements of Sections 13(b)(2)(B)(i) and (iii) of the Securities Exchange Act of 1934 ("Exchange Act").[2] Those provisions require certain issuers to devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that transactions are executed with, or that access to company assets is permitted only with, management's general or specific authorization.[3] The statute defines the level of reasonable assurances required under these provisions as the "degree of assurance as would satisfy prudent officials in the conduct of their own affairs."[4] As the Senate emphasized over four decades ago when passing these provisions, "a fundamental aspect of management's stewardship responsibility is to provide shareholders with reasonable assurances that the business is adequately controlled."[5]

While the cyber-related threats posed to issuers' assets are relatively new, the expectation that issuers will have sufficient internal accounting controls and that those controls will be reviewed and updated as circumstances warrant is not. The Commission has determined not to pursue an enforcement action in these matters based on the conduct and activities of these public issuers that are known to the Commission at this time. The Commission, however, deems it appropriate and in the public interest to issue this Report of Investigation ("Report") pursuant to Section 21(a) of the Exchange Act to make issuers and other market participants aware that these cyber-related threats of spoofed or manipulated electronic communications exist and should be considered when devising and maintaining a system of internal accounting controls as required by the federal securities laws. Having sufficient internal accounting controls plays an important role in an issuer's risk management approach to external cyber-related threats and, ultimately, in the protection of investors.

References

[1] FBI, 2017 Internet Crime Report at 12, 21 (issued May 7, 2018) (full-text) ("FBI Internet Crime Report") (the FBI defines business email compromise as "a sophisticated scam targeting businesses that often work with foreign suppliers and/or businesses and regularly perform wire transfer payments," and includes frauds impacting both private and public companies); FBI, Public Service Announcement: E-Mail Account Compromise the 5 Billion Dollar Scam (May 4, 2017) (full-text) ("FBI PSA"); see also Proofpoint, 2017 Email Fraud Threat Report at 3 (Feb. 12, 2018) (full-text) (finding that by the fourth quarter of 2017, nearly 89% of all organizations were targeted by at least one attack, over a 13% increase from the fourth quarter of 2016).
[2] 15 U.S.C. § 78m(b)(2)(B)(i) & (iii).
[3] The issuers with these Section 13(b)(2) obligations are those that have a class of securities registered with the Commission under Section 12 of the Exchange Act or that must file reports with the Commission under Section 15(d) of the Exchange Act. 15 U.S.C. § 78m(b)(6).
[4] 15 U.S.C. § 78m(b)(7).
[5] S. Rep. No. 95-114, at 8 (1977) ("1977 Senate Report"); see also Promotion of the Reliability of Financial Information and Prevention of the Concealment of Questionable or Illegal Corporate Payments and Practices, Exchange Act Release No. 15570, at 6 (Feb. 15, 1979) (adopting release) ("An equally important objective of the new law . . . is the goal of corporate accountability.").